Experts fear the actual number of K–12 cyber incidents remains unknown due to weak legal requirements and districts’ concerns about bad press.
Rebecca TorchiaRebecca Torchia is a web editor for EdTech: Focus on K–12. Previously, she has produced podcasts and written for several publications in Maryland, Washington, D.C., and her hometown of Pittsburgh.
Listen PauseDespite more government interest in K–12 organizations’ cybersecurity infrastructure, not to mention higher thresholds for cyber insurance, an Emsisoft report found a 15 percent increase in attacks against educational institutions in which data was exfiltrated.
“Data was exfiltrated in at least 58 incidents (65 percent) compared to in 44 incidents the previous year (50 percent),” the report noted. Ransomware potentially impacted 1,981 schools in 2022, compared with 1,043 schools that were potentially impacted the previous year.
Even with K–12 IT teams working hard to protect their districts’ data from attacks, there’s concern that these numbers don’t paint a full picture of the cyberthreats facing education.
In its 2022 Annual Report, the K12 Security Information Exchange noted that a decrease in cyberattacks between 2020 and 2021 could be the result of underreporting. The K12 SIX report, “The State of K–12 Cybersecurity: Year in Review,” notes that “the smaller number of incidents reported during 2021 may instead reflect a concerning shift away from public disclosure, undermining the ability of independent researchers … to accurately assess trends and issues.”
The shift may be due to a desire to avoid negative attention, says Karen Sorady, vice president for member engagement at the Multi-State Information Sharing and Analysis Center. “There’s fear because people don’t want to be exposed for having fallen victim to something they shouldn’t have.”
Districts may neglect to disclose incidents to avoid ire from parents and the community, in addition to gaining infamy from media attention. While the legal reporting requirements for educational institutions are weak, there are many benefits to reporting cyberthreats and attacks when they occur.
In March 2021, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law, requiring “owners and operators of critical infrastructure” to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency within 72 and 24 hours, respectively.
Education, however, is not considered “critical infrastructure” as defined by CISA. The agency’s requirements apply only to:
The new legislation does align with a larger trend that Sorady sees in underreporting. “It’s not limited to schools,” she says. “In general, there’s underreporting of cyber incidents across the board, in government and in the private sector as well.”
The total number of local governments, educational institutions and healthcare providers impacted by ransomware in the 2022 calendar year
Source: emsisoft.com “The State of Ransomware in the U.S.: Report and Statistics 2022,” Jan. 2, 2023While Freedom of Information Act requests can be used to discern information on cyberattacks against K–12 institutions, as noted by the K12 SIX report, schools generally are not obligated to report these incidents.
The Emsisoft report lists its sources as “disclosure statements, press reports, the dark web and third-party information feeds,” adding that “some incidents will have escaped our attention, and so all numbers should be considered to be minimums.”
While bad press may be the driving force behind the trend toward secrecy, it’s imperative for school leadership to understand the importance of publicly disclosing cyberattacks.
When schools report cyberattacks, it gives experts a better idea of where the attacks are coming from and what the cybercriminals are targeting.
“The more data we have, the more patterns that will emerge,” Sorady says. “Then, we can try to predict what the next impact might be or where the next attack may occur. It feeds into our intelligence so we can try to get in front of attacks, as opposed to always responding afterwards.”
Reporting cyberattacks can also help potential victims protect themselves in the event their data is compromised. This includes students and teachers, but also parents, school staff and other community members.
“We need to enact disclosure requirements for school cyber incidents so there is a better research base about how — and how frequently — schools are being compromised, and so potential victims can protect themselves in a timely manner from harms like identity theft and fraud,” said Doug Levin, co-founder and national director of K12 SIX, in an interview with EducationWeek.